疑似中文黑产组织利用GeoServer漏洞CVE-2024-36401挖矿的详细技术分析 | CTF导航
Tags
| attack-pattern: | Cron - T1053.003 Connection Proxy - T1090 |
Common Information
| Type | Value |
|---|---|
| UUID | 7a34faec-7eab-444b-a1ff-8d136c91f512 |
| Fingerprint | 6d2b2b30c2e8d66f |
| Analysis status | DONE |
| Considered CTI value | -2 |
| Text language | |
| Published | Sept. 8, 2024, midnight |
| Added to db | Sept. 8, 2024, 10:41 a.m. |
| Last updated | Nov. 17, 2024, 6:31 p.m. |
| Headline | 疑似中文黑产组织利用GeoServer漏洞CVE-2024-36401挖矿的详细技术分析 |
| Title | 疑似中文黑产组织利用GeoServer漏洞CVE-2024-36401挖矿的详细技术分析 | CTF导航 |
| Detected Hints/Tags/Attributes | 15/1/117 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://www.ctfiot.com/204136.html |
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 426 | ✔ | CTF导航 | https://www.ctfiot.com/feed | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 56 | cve-2024-36401 |
|
| Details | Domain | 4 | bots.gxz.me |
|
| Details | Domain | 2 | trcpay.xyz |
|
| Details | Domain | 4 | sdfasdfsf.9527527.xyz |
|
| Details | Domain | 4 | gsdasdfadfs.9527527.xyz |
|
| Details | Domain | 31 | pool.supportxmr.com |
|
| Details | Domain | 3 | asdfghjk.youdontcare.com |
|
| Details | Domain | 8 | config.sh |
|
| Details | Domain | 4 | remote.sh |
|
| Details | Domain | 6 | download765.online |
|
| Details | Domain | 5 | oss.17ww.vip |
|
| Details | Domain | 24 | test.sh |
|
| Details | Domain | 4 | ec2-54-191-168-81.us-west-2.compute.amazonaws.com |
|
| Details | Domain | 4 | ec2-13-250-11-113.ap-southeast-1.compute.amazonaws.com |
|
| Details | Domain | 13 | cron.sh |
|
| Details | Domain | 5 | check.sh |
|
| Details | Domain | 4 | secure.systemupdatecdn.de |
|
| Details | File | 62 | taskhost.exe |
|
| Details | File | 153 | config.json |
|
| Details | File | 4 | 21929e87-85ff-4e98-a837-ae0079c9c860.txt |
|
| Details | sha256 | 4 | b80e9466b7bb42959c29546b8c052e67fcaa0f591857617457d5d28348bd8860 |
|
| Details | sha256 | 4 | d9e8b390f8e2e8a6c2308c723a6a812f59c055ecad4e9098a120e5c4c65d3905 |
|
| Details | sha256 | 4 | 79c9532fb6ef2742e207498bfe2b2ee09aa9773376ac0e56085083aab17b98be |
|
| Details | sha256 | 4 | 5cc7e35254347f705422800bfb7fe29c6002e2537f6bac0ff996a720dfb5f48e |
|
| Details | sha256 | 4 | fabbb4611fb9df5d8f208d9353be0b73c3942fe78903da096cbfe2f47c9e3566 |
|
| Details | sha256 | 4 | 1588bee7db42495ba7e6e34d217e6b82c5ab93f27c1eea68435cbb9e7792f9be |
|
| Details | sha256 | 4 | e8b0f5a952f07c83c4d67809ac0715c7164d518323d8038542e84aab8456db43 |
|
| Details | sha256 | 4 | 3c73ebc7a85accc65c9ee5bf151f70b990e5a12f27a843ca21c0f9d9a10fd17d |
|
| Details | sha256 | 4 | 9bf642a7e14f0a0b0a784f00a0d1cf590ac60ae5ae378d29d435519f4d9dbf2b |
|
| Details | sha256 | 4 | 994b924b00fb56e12a6a987c4cdf65dd05a221c47b5fc0a7a2babf1f05c2ed38 |
|
| Details | sha256 | 4 | c226744b40e8f5d2cf95b4fb2537ff00e222ecc2d24c5096ecfadb14b4a47f97 |
|
| Details | sha256 | 4 | 96cf27a66b629d2b19708c6887441a8422b40dc0e9e7c5c0f2212efe0b6b3323 |
|
| Details | sha256 | 4 | b3a015b6650ec9800fa878ff9a5f732013806c8dcb0e7069515dae0dd380fda4 |
|
| Details | sha256 | 4 | 50b7e615b8cdc45486b6ed1c1c081c7a92c262edb84318fa864531dcab753f82 |
|
| Details | sha256 | 4 | f7b97677b6387c1f02d429e98868bf6973a8dec14dfee2516a27e885d6b1c780 |
|
| Details | sha256 | 4 | b60d7fb66caf103a04e81fb89dbb05111b4b0ef513f3769c8e0a8106ab01a075 |
|
| Details | sha256 | 4 | a9e7b5284182d3881c865895ee6e0fb03273eec3dcbf4bfc82dd2b069245beae |
|
| Details | sha256 | 4 | c3101b0b74d76a95ba91b6cc4945657e928d2dac8fdf926ffbf09031d46e9186 |
|
| Details | sha256 | 4 | b67ab1b9b66fdc2c4ed1689698a54a347c2bdd6eaff87039ae337675243670d8 |
|
| Details | sha256 | 4 | 83fb74bb852bbd722e6ebc4e249e49cb4bb4194493a26d62d4bfcdfca2998412 |
|
| Details | sha256 | 4 | 53994a35a57970dea48e97009f65ad045b69a83234b771b106446211376a6866 |
|
| Details | sha256 | 4 | f3d3572ef96c9c59e137425ca6804e1b86b7f8b57210a3724d567017460774de |
|
| Details | sha256 | 5 | 1af8e068aa7377f0055640af581a412aa9d7288c912a93dd0d739657af0079fb |
|
| Details | sha256 | 5 | 1abd8cbd64d1d9c8d56b7ea6273ed62e1471f300fabc67dbc2416a48e2faf33d |
|
| Details | sha256 | 5 | addccd0ecb643251af2e79e878b19a8e9c8f1c87302e732ef057cdba821f4b30 |
|
| Details | sha256 | 5 | d9dfe98b5fba09e17dbe29dfeb8deb7d777d4a3b0d670914691ed360b916116a |
|
| Details | sha256 | 5 | 8d3440301bc94ed83cdafb69e4b0166d3a0020eb4f38e9fa159c2f13f14b2d29 |
|
| Details | sha256 | 5 | a13a979f4ca57450528bb6cd7aa2bf47d2eea211053eb1a14b8c4a44fd661831 |
|
| Details | sha256 | 5 | 7194ec436231c2a383ffc7c75eef4f5b5a952c18fa176ffd0830667835a80533 |
|
| Details | sha256 | 4 | 20d97f144bf7b1662a13ac537715126b9b2f68eff46a4a09234743ae236f0177 |
|
| Details | sha256 | 4 | d72e4cabffc84a31e50caf827b6e579cf6e4932e5cbc528a65a68728ba56b65b |
|
| Details | sha256 | 4 | 5abf8a52d45f6d5970fab8d1dfd05b6ee7b0ef57df935f45761b89d3522fa592 |
|
| Details | sha256 | 4 | 24e80d66759b1c7a075aeb4fe0321eb6ac49eaf509089fd2882874ec6228d085 |
|
| Details | sha256 | 4 | 7355cc094f2e43e4dd7b8b698b559abe6d2d74cc48f5cfa464424314c6e41944 |
|
| Details | sha256 | 4 | 689504850db842365cd47eadd2d3d42888b9261e7d9e884f14bb7deeb21bb61d |
|
| Details | sha256 | 4 | 762707f2c7fc4731c4c46ecb3364a4e7ace8984aa899cc57c624b342d3efa03f |
|
| Details | sha256 | 4 | 4234eb5eb42fbe44d7163c4388d263b3fe57fb1e56bf56152ac352c3fd0beec0 |
|
| Details | sha256 | 4 | 373734730d8414d32883ebbd105c7a7c58397df995759c4e0bd367f2523d302d |
|
| Details | sha256 | 4 | d1d25730122f8bc125251832c6af03aedd705dfcc2d9eebcce4371c54bb84b39 |
|
| Details | sha256 | 4 | 3dce929b1c091abac3342788624f1ffa4be5d603eec4d7ab39b604694ac05d22 |
|
| Details | sha256 | 4 | eb2f95bb2059a3690259f2c0d7537b3cad858869650b9c220d2d81e3720b6dde |
|
| Details | sha256 | 4 | 2e0e324e36fafe71f5d2bcf521e6415dafbc3f1173ad77f1f3daa77bb581da5f |
|
| Details | sha256 | 4 | 5d9eb83b4a6f2d49580e1658263eb972be336a2cad15a84561d17d59391191b0 |
|
| Details | sha256 | 4 | 75d7b6264f5a574bc75400c9d57282e9344d8b2df576ad2a36ab7e2575d5a395 |
|
| Details | sha256 | 4 | e5e5122ba6d0b06f7ed8e57ab5324ae730970c0d23913f27b9ecc9094182c03d |
|
| Details | sha256 | 5 | 275302d03a4378f1b852e6d783d3181c2899ae0e9ebad4c7160221320863c425 |
|
| Details | sha256 | 5 | 653a4ad0b00e59a01142f899b6aac9712cfb25063b5b9b2e7e3171f7f3a897ed |
|
| Details | sha256 | 4 | 8fad39ec0671d9b401712ddbc1f24942b2ee2f4865b6ffcd2f019036e03cbade |
|
| Details | sha256 | 4 | c8b76b63644d2946fd0af72b48fa59f07a78e1f84464cff5e9b1ca4110e6113e |
|
| Details | sha256 | 5 | 3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab |
|
| Details | sha256 | 4 | 7d052cffcf97b303d11c5d35fa9bc860155601cdea21e38447401571b35d2db1 |
|
| Details | sha256 | 4 | c81d4770e812ddc883ead8ff41fd2e5a7d5bc8056521219ccf8784219d1bd819 |
|
| Details | sha256 | 4 | bf56711bbe0b1dac3b1481d36e7ae2f312da5f404c554c2c45a01fe591b8464d |
|
| Details | sha256 | 4 | 5c9722d3dc72dbeafec00256887867bad46d347a5fc797d57fc9e0fd317035d3 |
|
| Details | sha256 | 4 | 3369ddc627282eb38346e1a56118026dd3ccdb29b18ffff88ecf3663296ee6da |
|
| Details | IPv4 | 4 | 181.214.58.14 |
|
| Details | IPv4 | 4 | 47.253.46.11 |
|
| Details | IPv4 | 3 | 47.253.83.86 |
|
| Details | IPv4 | 4 | 188.214.27.50 |
|
| Details | IPv4 | 4 | 59.59.59.59 |
|
| Details | IPv4 | 4 | 209.146.124.181 |
|
| Details | IPv4 | 4 | 95.85.93.196 |
|
| Details | IPv4 | 4 | 112.133.194.254 |
|
| Details | Url | 4 | http://181.214.58.14:61231/remote.sh |
|
| Details | Url | 4 | http://1.download765.online/d |
|
| Details | Url | 2 | http://188.214.27.50:4782 |
|
| Details | Url | 3 | http://209.146.124.181:8030 |
|
| Details | Url | 1 | http://209.146.124.181:8030”时,我们发现它被构建为hfs(http文件服务器),并且两个恶意工具——“linux2.4”(另一个僵尸网络)和“taskhost.exe |
|
| Details | Url | 1 | http://oss.17ww.vip/21929e87-85ff-4e98-a837-ae0079c9c860.txt/test.sh”下载脚本,并将其保存为temp文件夹中的script.sh |
|
| Details | Url | 1 | http://repositorylinux.com”下载“linux.sh”。“linux.sh |
|
| Details | Url | 3 | http://95.85.93.196:80/asdfakjg.sh |
|
| Details | Url | 4 | http://188.214.27.50:4782/sky |
|
| Details | Url | 4 | http://209.146.124.181:8030/bot.arm |
|
| Details | Url | 4 | http://209.146.124.181:8030/bot.arm5 |
|
| Details | Url | 4 | http://209.146.124.181:8030/bot.arm6 |
|
| Details | Url | 4 | http://209.146.124.181:8030/bot.arm7 |
|
| Details | Url | 4 | http://209.146.124.181:8030/bot.m68k |
|
| Details | Url | 4 | http://209.146.124.181:8030/bot.mips |
|
| Details | Url | 4 | http://209.146.124.181:8030/bot.mpsl |
|
| Details | Url | 4 | http://209.146.124.181:8030/bot.ppc |
|
| Details | Url | 4 | http://209.146.124.181:8030/bot.sh4 |
|
| Details | Url | 4 | http://209.146.124.181:8030/bot.x86 |
|
| Details | Url | 4 | http://209.146.124.181:8030/bot.x86_64 |
|
| Details | Url | 4 | http://209.146.124.181:8030/jrlinux |
|
| Details | Url | 4 | http://209.146.124.181:8030/linux2.4 |
|
| Details | Url | 4 | http://209.146.124.181:8030/linux2.6 |
|
| Details | Url | 4 | http://209.146.124.181:8030/taskhost.exe |
|
| Details | Url | 4 | http://oss.17ww.vip/21929e87-85ff-4e98-a837-ae0079c9c860.txt/test.sh |
|
| Details | Url | 4 | http://oss.17ww.vip/21929e87-85ff-4e98-a837-ae0079c9c860.txt/sshd |
|
| Details | Url | 4 | http://ec2-54-191-168-81.us-west-2.compute.amazonaws.com/css/linuxsys |
|
| Details | Url | 4 | http://ec2-54-191-168-81.us-west-2.compute.amazonaws.com/css/config.json |
|
| Details | Url | 4 | http://ec2-13-250-11-113.ap-southeast-1.compute.amazonaws.com/css/linuxsys |
|
| Details | Url | 4 | http://ec2-13-250-11-113.ap-southeast-1.compute.amazonaws.com/css/config.json |
|
| Details | Url | 4 | http://95.85.93.196:80/h4 |
|
| Details | Url | 4 | http://112.133.194.254/cron.sh |
|
| Details | Url | 4 | http://112.133.194.254/check.sh |
|
| Details | Url | 4 | http://112.133.194.254/config.sh |